How to restrict access to a PHP file?

Backend | unresolved | 7 answers | 1363 views
故里飘歌 2021-01-06 20:47

I'd like to restrict access to a PHP file on my server. This PHP file takes data from an HTTP GET request and appends it to a file. Simple. But I don't want this PHP fi

7 answers
  •  我在风中等你
    2021-01-06 21:01

    If you don't want anything per-user, but only per-app, you will have to rely on a secret built into the application. Anyone disassembling the application will eventually be able to find that, so some obfuscation might help, but it won't keep determined people off your page.

    That said, there is little point in using any public key crypto. As the app-side is what spoofers might be interested in, they'd already have access to the more valuable half of a key pair. So you might as well use some approach using a shared secret.

    What you really want to check is the authenticity of the transferred data. So simply take the core of that data (i.e. all fields which really matter), concatenate them with the shared secret, hash the result and transfer it as a message digest. The server performs the same calculation and checks that the computed digest matches the transferred one. If it does, the sender of that message must have known the shared secret.

    There still is some chance for a replay attack, i.e. someone recording a valid message and repeating it later on. You can detect exact duplicates on the server side, and prevent delayed replay by including a timestamp in the signed part of the message. If your server allows for a huge difference between client and server timestamps, it will have to keep duplicate information for that same amount of time. If it only accepts small differences, it can work with a smaller duplicate cache, but users with misconfigured devices might be annoyed as the server is more likely to reject their requests as being too old.

    One more note: you wrote about a GET request causing a write to some file. I would always associate some state-changing operation with a POST instead. If the app is your own, it doesn't matter that much, but browsers are known to retransmit GET requests without asking the user, thereby causing duplicate requests for some action.
